Partnership

Sharing cyber threat information broadly among organizations, using common terminology and automation, benefits everyone. By sharing, partners get threat information and tools they otherwise might not have access to. They also enhance their network defense by leveraging the cyber experiences and investments of their partners. Sharing can be particularly beneficial in cyber defense because threat groups attack sectors differently, using different tactics and techniques.

A Partnership Model for Sharing Cyber Threat Information

MITRE's approach for sharing cyber threat information among partners is based on analyzing a cyber attack "campaign." A cyber campaign consists of two parts: intrusion attempts and TTPs, or tactics, techniques, and procedures. Together, they reveal the adversary's method of attack. TTPs are the methods that a cyber attacker uses repeatedly over a series of related intrusion attempts. TTPs include target lists and how they are compiled; tools, nodes, and accounts; and how they are used at each stage of the "kill chain."

Figure: Components of Structured Cyber Threat Information

An intrusion attempt consists of the distilled parts and telltale signs of a cyber attack. This can include what domains are used to launch attacks and host command and control channels, what email sources are discernible, and what intelligence can be obtained from malware samples used in the attack.

TTPs consist of the tools, the targeted entities and infrastructure elements, and the cyber attack lifecycle phase the cyber attacker is using to conduct a series of related intrusion attempts.

Because information about attempted intrusions doesn't reveal an organization's vulnerabilities, it can generally be shared with partners to provide them with defensive value at a modest level of risk and effort.

Sharing TTP information provides far greater defensive value to members. But it puts the contributing partner at greater risk if it reveals the organization's threat-based defensive capabilities. In addition, TTP information requires greater effort to produce because large volumes of data must be collected over time, followed by sophisticated analyses.

Partnership Resources

A number of groups have formed or are forming to share cyber threat information. While some of these groups restrict membership by sector (such as defense industrial base or financial services), others have broad-based memberships.

Groups MITRE belongs to include:

The Advanced Cyber Security Center, a cross-sector collaborative initiative in New England. The ACSC brings together industry, university, and government organizations.

The Federally Funded Research and Development Center Information Security Collaborative. The collaborative is an informal consortium of information security representatives from FFRDCs and similar not-for-profit institutions operating in the national interest. The group shares information about cyber threats and security practices.

Additionally, we work closely with the Department of Homeland Security to build a more secure national cyber ecosystem by involving private firms, non-profits, governments, and individuals in countering cyber attacks.

Stay Safe Online

MITRE is fully committed to defending and securing our cyber ecosystem. We see education and awareness as key to the ability of all citizens to take control of their cyber lives. Get the latest tips and advice as a digital citizen from one of our trusted partners, the National Cyber Security Alliance of America.
